LinuxQuestions.org
View Poll Results: Do you use sudo or the root account to gain root privileges?
sudo 43 50.00%
log in as root 43 50.00%
Voters: 86. You may not vote on this poll

Old 04-19-2011, 09:52 AM   #61
MBybee
Member
 
Registered: Jan 2009
Location: wherever I can make a living
Distribution: PC-BSD / FreeBSD / Debian / Ubuntu / Win7 / OpenVMS
Posts: 438


Quote:
Originally Posted by John VV View Post
why ?
sudo ### can open up a hole but is BETTER for some situations.

What hole does sudo open that having the root password doesn't also open? Sudo can be used in a secure environment in a similar fashion to a setuid root, but with a higher degree of safety (since only users/groups specifically allowed can perform specifically allowed functions).

Unless you mean that "ALL=(ALL:ALL) ALL" type stuff Ubuntu likes to use, which is perhaps just almost the same as logging in as root really. If I use sudo on a machine, it's a ton more restrictive for general users.
 
Old 04-19-2011, 12:43 PM   #62
orgcandman
Member
 
Registered: May 2002
Location: dracut MA
Distribution: Ubuntu; PNE-LE; LFS (no book)
Posts: 594

Quote:
Originally Posted by MBybee View Post
What hole does sudo open that having the root password doesn't also open? Sudo can be used in a secure environment in a similar fashion to a setuid root, but with a higher degree of safety (since only users/groups specifically allowed can perform specifically allowed functions).

Unless you mean that "ALL=(ALL:ALL) ALL" type stuff Ubuntu likes to use, which is perhaps just almost the same as logging in as root really. If I use sudo on a machine, it's a ton more restrictive for general users.

- having the root password -

That's a key requirement to logging in as root, which is removed when one uses sudo.

Additionally, it's very difficult to properly secure sudo such that it gives only the functionality desired. For instance, cp/tar/chown/chmod/etc. can all be used to completely own the system if the following is true:

1) I have login to an unprivileged user
2) I have that user's password (if required for the user to sudo)
3) that user is allowed to sudo any one of those commands as root (and they're not completely 100% spelled out)

sudo is VERY powerful, VERY confusing, and VERY often misconfigured. Give me any command where I can write a file as super-user, and your system is mine. Give me any command where I can leak information reserved to a super-user, and your system will probably be mine. And in both of these cases, the audit trail can't even be trusted (unless you log it off the box... you DO log to a separate machine, right?).

Please note: I don't sit on one side or the other of this debate. I know what I use, and I am comfortable with it. There are tradeoffs that will always apply, and make some security objectives unattainable, while providing others. The best you can do is lock down what you can lock down, mitigate what you can mitigate, and keep a vigilant eye towards your systems for any type of suspicious activity. But that's all common knowledge (I think).
 
1 members found this post helpful.
Old 04-19-2011, 12:55 PM   #63
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,785
Blog Entries: 1

Quote:
Originally Posted by orgcandman
But that's all common knowledge (I think).

Go hang out in Security for a bit and you'll find out just how grotesquely uncommon it is.
 
3 members found this post helpful.
Old 04-19-2011, 02:38 PM   #64
MBybee
Member
 
Registered: Jan 2009
Location: wherever I can make a living
Distribution: PC-BSD / FreeBSD / Debian / Ubuntu / Win7 / OpenVMS
Posts: 438

Quote:
Originally Posted by orgcandman View Post
- having the root password -

That's a key requirement to logging in as root, which is removed when one uses sudo.

Additionally, it's very difficult to properly secure sudo such that it gives only the functionality desired. For instance, cp/tar/chown/chmod/etc.

These are not commands that should *ever* be allowed in sudo - sudo (on a desktop) is for things like shutdown. On a server, sudo should be configured to allow specifics like 'cancel' or specialty programs that would otherwise be run with setuid. I shudder to think someone would allow cp/tar/chown/chmod etc without specifying the entire command to be issued at the very least.

I'll agree that most people don't configure *most* things properly. I disagree that sudo is difficult to secure.
This, btw, is the difference between "your neighbor's kid who uses linux" and a professional 80-100k/year sysadmin. Someone on my team here would be fired immediately for something most "good with linux" people wouldn't even notice or care about. Of course, properly secured systems also limit logins to the very fewest possible people, and audit (tripwire, whatever you like to use) every single thing they do. Even things like someone who has permissions modifying a system without proper change control will result in dismissal. Su/sudo by themselves are nothing without the proper framework to fix the underlying *social* issues. Someone caught logging into root bypassing sudosh or other logging measures would be fired on the spot.

For desktops though, the main focus of this forum, the default user having sudo with everything is really no different from having root.
 
2 members found this post helpful.
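
Added example, not part of any post in this thread: a small sudoers audit that flags the two patterns discussed in posts #62 and #64, a blanket `ALL` grant and a file-writing command (cp/tar/chown/chmod) allowed without a fully specified argument list. The user names, paths and sample rules are constructed, and the parser assumes single-line rules with no aliases, includes or line continuations.

```python
import os
import re

# Commands the thread names as dangerous under sudo ("cp/tar/chown/chmod/etc.").
FILE_WRITERS = {"cp", "tar", "chown", "chmod"}
# user host = (runas) commands; Defaults and alias lines are skipped below.
SPEC = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...

# Constructed sample rules, not taken from a real host.
SAMPLE = """\
Defaults env_reset
%admin   ALL=(ALL:ALL) ALL
backup   ALL=(root) NOPASSWD: /bin/tar
deploy   ALL=(root) /bin/cp /srv/build/* /var/www/
operator ALL=(root) /sbin/shutdown -h now
webadmin ALL=(root) /bin/chown www-data:www-data /var/www/index.html
"""


def audit_sudoers(text):
    """Return (line_no, who, command, reason) for each risky grant."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and #include lines
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, cmds = m.group(1), m.group(3)
        for cmd in (TAGS.sub("", c.strip()) for c in cmds.split(",")):
            parts = cmd.split()
            if not parts:
                continue
            name, args = os.path.basename(parts[0]), parts[1:]
            if parts[0] == "ALL":
                reason = "unrestricted grant, same as a root login"
            elif name in FILE_WRITERS and not args:
                reason = "no argument list, so sudo accepts any arguments"
            elif name in FILE_WRITERS and any(ch in a for a in args for ch in "*?["):
                reason = "wildcard in arguments"
            else:
                continue  # fully spelled-out command, or not a file writer
            findings.append((no, who, cmd, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print("line %d: %s may run '%s': %s" % finding)
```

The `shutdown` rule and the fully spelled-out `chown` rule pass; the other three grants are reported.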
Old 04-20-2011, 05:51 AM   #65
geforce
LQ Newbie
 
Registered: Apr 2010
Posts: 5

Every admin has their own user over LDAP. Nobody knows the root password.
If an admin needs privileged access, they can use su -, and if the user is in the right group then he has root privilege.

It's not the wheel group; it is a different group for every server group and will be managed over LDAP. Every su - will be reported
to most admins so that they know a root is working on a machine.
 
1 members found this post helpful.
  


Tags
root, sudo

